VPN 3000: Authen. Admins via TACACS and Clients via RADIUS

zabbas
Level 1

I currently have a Cisco ACS 3.0 (Win2k Server). I have defined the vpn box on the ACS to use RADIUS (VPN 3000), clients have no problem establishing tunnels. However, I have been unable to get admins to authenticate via the ACS on the VPN 3000 server. Is there a way to setup both authentication protocols on the ACS or is there another way around this.

6 Replies

cjacinto
Cisco Employee

You already have defined the VPN 3000 as a network access server on ACS using RADIUS. You can define the same VPN 3000 as a TACACS client too, on ACS. You just have to give it a different name, as ACS doesn't want to have duplicate names for NAS clients (same IP addr, different names). The ACS would know which transactions it is for, since it would be a different protocol and port.

Thanks for your help. As per your suggestion, I have defined another name for the VPN box pointing to the same address on the ACS server (and chose TACACS as the authen. protocol). So now I have 2 entries on my ACS for the VPN box (2 different names, same IP, 1 using RADIUS and the other TACACS).

I have also done the following: configured the TACACS+ server on the VPN Concentrator under "Administration | Access Rights | AAA Servers | Authentication" and tested... I get "Authentication Rejected".

When I check the "Passed Authentications" log on the ACS, I can see my name in there, and the 'Access Device' is listed as the new device that I created above. The NAS Port says 'Public Interface'. So for some reason, I have passed authentication; however, I still keep getting the 'Authentication Rejected' message when trying to get into the concentrator as an admin.

Authentication to my other switches/routers is fine, so I know that the ACS is working properly, just having problems defining the concentrator.

Could you check your ACS profile against the sample config on:

http://www.cisco.com/warp/public/471/vpn3k_tacacs.html

It goes through both ACS and VPN 3K side.

Thanks a million! The one thing that I was missing was a setting under the Group for Privilege Level... I didn't check it off and set it to 15. Once this was done, it works. I was looking for a document like this for 3-4 days...

Thanks again.

paqiu
Level 1

Cisco ACS 3.0 by default can use RADIUS and TACACS+ at the same time.

For the VPN 3000 concentrator, administration only supports TACACS+ authentication. You need to configure the TACACS+ server in "Administration | Access Rights | AAA Servers | Authentication" and test it to make sure the concentrator can talk to the AAA server correctly.

For remote access, as you have done, it only supports RADIUS.

You can share the same ACS 3.0 server, just make sure to put remote access users and ADMIN users in different groups.

Thanks... This has already been done, please see my other reply.
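The two points this thread turns on (one ACS server holding two NAS entries for the same concentrator IP, distinguished by name and protocol, and admin logins failing until the TACACS+ group carried privilege level 15) can be illustrated with a small Python model. This is an added example written for this thread, not Cisco ACS or VPN 3000 code; the class and function names, the NAS names, the IP address 192.0.2.10, the users and the passwords are all constructed for illustration. It shows why the ACS "Passed Authentications" log can record a pass while the concentrator still reports "Authentication Rejected": authentication and shell authorization are separate decisions.

```python
"""Constructed model of the AAA setup discussed in the thread.

Assumptions (all constructed, not taken from ACS documentation):
- ACS rejects a second NAS client with the same name, but allows a second
  entry for the same IP under a different name; the protocol of the request
  selects which entry serves it.
- Remote-access (tunnel) users are checked over RADIUS, admins over TACACS+.
- The concentrator admits an admin only if TACACS+ shell authorization
  returns privilege level 15, which comes from the user's ACS group.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RADIUS_AUTH_PORT = 1812  # UDP, RADIUS authentication
TACACS_PORT = 49         # TCP, TACACS+


@dataclass
class NasClient:
    name: str
    ip: str
    protocol: str   # "radius" or "tacacs+"
    secret: str


@dataclass
class Group:
    name: str
    members: Set[str]
    priv_lvl: Optional[int] = None   # None models "Privilege Level" left unset


class AcsModel:
    def __init__(self) -> None:
        self.clients: Dict[str, NasClient] = {}   # keyed by NAS name
        self.groups: List[Group] = []
        self.users: Dict[str, str] = {}
        self.passed_auth_log: List[dict] = []

    def add_client(self, client: NasClient) -> None:
        # Same IP under a different name is fine; same name is not.
        if client.name in self.clients:
            raise ValueError(f"duplicate NAS name {client.name!r}")
        self.clients[client.name] = client

    def find_client(self, ip: str, protocol: str) -> Optional[NasClient]:
        for c in self.clients.values():
            if c.ip == ip and c.protocol == protocol:
                return c
        return None

    def authenticate(self, nas_ip: str, protocol: str, user: str, password: str) -> bool:
        client = self.find_client(nas_ip, protocol)
        if client is None:            # unknown NAS for this protocol: drop
            return False
        ok = self.users.get(user) == password
        if ok:                        # this is the "Passed Authentications" entry
            self.passed_auth_log.append(
                {"user": user, "access_device": client.name, "protocol": protocol})
        return ok

    def authorize_shell(self, user: str) -> Optional[int]:
        # TACACS+ shell authorization: return the group's privilege level.
        for g in self.groups:
            if user in g.members:
                return g.priv_lvl
        return None


def concentrator_admin_login(acs: AcsModel, conc_ip: str, user: str, password: str) -> str:
    """What the admin sees at the concentrator's management login."""
    if not acs.authenticate(conc_ip, "tacacs+", user, password):
        return "Authentication Rejected"
    if acs.authorize_shell(user) != 15:
        # ACS already logged a pass, but without priv-lvl 15 the box rejects.
        return "Authentication Rejected"
    return "Admin Access Granted"


def build_thread_scenario(admin_priv_lvl: Optional[int]) -> AcsModel:
    """Two NAS entries, same IP, one per protocol; admins and VPN users in separate groups."""
    acs = AcsModel()
    acs.add_client(NasClient("vpn3000-radius", "192.0.2.10", "radius", "radius-secret"))
    acs.add_client(NasClient("vpn3000-tacacs", "192.0.2.10", "tacacs+", "tacacs-secret"))
    acs.users = {"admin1": "admin-pw", "vpnuser1": "vpn-pw"}
    acs.groups = [Group("admins", {"admin1"}, admin_priv_lvl),
                  Group("vpnusers", {"vpnuser1"})]
    return acs
```

With `build_thread_scenario(None)` the admin login returns "Authentication Rejected" even though `passed_auth_log` holds a pass for admin1 against the TACACS+ device, which is exactly the symptom reported; with `build_thread_scenario(15)` the same login is granted, and RADIUS tunnel users are unaffected either way.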
